From 9762b264cc51292c737a9c6ba223f4e6ec33550d Mon Sep 17 00:00:00 2001 From: zottel Date: Wed, 8 Jan 2014 16:03:59 +0100 Subject: Add display of a thread to channel module using channel//?mid= --- mod/channel.php | 76 ++++++++++++++++++++++++++++++++++++--------------------- 1 file changed, 48 insertions(+), 28 deletions(-) (limited to 'mod/channel.php') diff --git a/mod/channel.php b/mod/channel.php index 149936dd7..5d7c24206 100644 --- a/mod/channel.php +++ b/mod/channel.php @@ -47,6 +47,8 @@ function channel_content(&$a, $update = 0, $load = false) { $category = $datequery = $datequery2 = ''; + $mid = $_GET['mid']; + $datequery = ((x($_GET,'dend') && is_a_date_arg($_GET['dend'])) ? notags($_GET['dend']) : ''); $datequery2 = ((x($_GET,'dbegin') && is_a_date_arg($_GET['dbegin'])) ? notags($_GET['dbegin']) : ''); @@ -102,7 +104,7 @@ function channel_content(&$a, $update = 0, $load = false) { ); - if($perms['post_wall']) { + if($perms['post_wall'] && (!$mid)) { $x = array( 'is_owner' => $is_owner, 
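Review bot: `$mid = $_GET['mid'];` skips the `x()` guard and `notags()` filter that the `dend`/`dbegin` reads two lines below apply, so a request without `mid` trips an undefined-index notice and the raw value is what later reaches the template as `'$mid' => $mid` in this same commit. Read it the way its siblings are read: `$mid = ((x($_GET,'mid')) ? notags($_GET['mid']) : '');`. The SQL uses go through `dbesc()`, so this is about the notice and the HTML side; whether the template escapes `$mid` is not visible here. channel_content() starts before and continues past this hunk.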
@@ -132,19 +134,24 @@ function channel_content(&$a, $update = 0, $load = false) { if(($update) && (! $load)) { - - $r = q("SELECT distinct parent AS `item_id` from item - left join abook on item.author_xchan = abook.abook_xchan - WHERE uid = %d AND item_restrict = 0 - AND (item_flags & %d) AND ( item_flags & %d ) - AND ((abook.abook_flags & %d) = 0 or abook.abook_flags is null) - $sql_extra - ORDER BY created DESC", - intval($a->profile['profile_uid']), - intval(ITEM_WALL), - intval(ITEM_UNSEEN), - intval(ABOOK_FLAG_BLOCKED) - ); + if ($mid) { + $r = q("SELECT parent AS item_id from item where mid = '%s' limit 1", + dbesc($mid) + ); + } else { + $r = q("SELECT distinct parent AS `item_id` from item + left join abook on item.author_xchan = abook.abook_xchan + WHERE uid = %d AND item_restrict = 0 + AND (item_flags & %d) AND ( item_flags & %d ) + AND ((abook.abook_flags & %d) = 0 or abook.abook_flags is null) + $sql_extra + ORDER BY created DESC", + intval($a->profile['profile_uid']), + intval(ITEM_WALL), + intval(ITEM_UNSEEN), + intval(ABOOK_FLAG_BLOCKED) + ); + } } else { 
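Review bot: The `if ($mid)` lookup `SELECT parent AS item_id from item where mid = '%s' limit 1` is not scoped to the channel being viewed: it drops the `uid = %d`, `item_restrict = 0`, `ITEM_WALL` and `$sql_extra` conditions and the blocked-abook join that the `else` branch beside it keeps, so a `mid` belonging to any channel on the hub resolves to a parent id that is then handed to the thread query. Scope it like its sibling, `... where mid = '%s' and uid = %d AND item_restrict = 0 AND (item_flags & %d) $sql_extra limit 1`, passing `intval($a->profile['profile_uid'])` and `intval(ITEM_WALL)` after `dbesc($mid)`. Whether the thread query that consumes `item_id` re-applies `$sql_extra` is outside this hunk, so the lookup should not rely on it. The enclosing `if(($update) && (! $load))` block and channel_content() continue past the hunk.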
@@ -166,19 +173,24 @@ function channel_content(&$a, $update = 0, $load = false) { $pager_sql = sprintf(" LIMIT %d, %d ",intval($a->pager['start']), intval($a->pager['itemspage'])); if($load || ($_COOKIE['jsAvailable'] != 1)) { - $r = q("SELECT distinct id AS item_id FROM item - left join abook on item.author_xchan = abook.abook_xchan - WHERE uid = %d AND item_restrict = 0 - AND (item_flags & %d) and (item_flags & %d) - AND ((abook.abook_flags & %d) = 0 or abook.abook_flags is null) - $sql_extra $sql_extra2 - ORDER BY created DESC $pager_sql ", - intval($a->profile['profile_uid']), - intval(ITEM_WALL), - intval(ITEM_THREAD_TOP), - intval(ABOOK_FLAG_BLOCKED) - - ); + if ($mid) { + $r = q("SELECT parent AS item_id from item where mid = '%s' limit 1", + dbesc($mid) + ); + } else { + $r = q("SELECT distinct id AS item_id FROM item + left join abook on item.author_xchan = abook.abook_xchan + WHERE uid = %d AND item_restrict = 0 + AND (item_flags & %d) and (item_flags & %d) + AND ((abook.abook_flags & %d) = 0 or abook.abook_flags is null) + $sql_extra $sql_extra2 + ORDER BY created DESC $pager_sql ", + intval($a->profile['profile_uid']), + intval(ITEM_WALL), + intval(ITEM_THREAD_TOP), + intval(ABOOK_FLAG_BLOCKED) + ); + } } else { $r = array(); @@ -202,6 +214,14 @@ function channel_content(&$a, $update = 0, $load = false) { $items = fetch_post_tags($items, true); $items = conv_sort($items,'created'); + if ($mid && (! count($items))) { + // This will happen if channel is called with a mid from another + // channel, if we don't have sufficient permissions to view the + // item, or if it doesn't exist. + // Do we need separate error messages for that? + notice( t('Item not found.') . EOL); + } + } else { $items = array(); } @@ -235,7 +255,7 @@ function channel_content(&$a, $update = 0, $load = false) { '$order' => '', '$file' => '', '$cats' => (($category) ? $category : ''), - '$mid' => '', + '$mid' => $mid, '$dend' => $datequery, '$dbegin' => $datequery2 )); -- cgit v1.2.3 
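Review bot: The load-path `if ($mid)` lookup is a verbatim copy of the polling-path one and carries the same gap — no `uid`, `item_restrict`, `ITEM_WALL` or `$sql_extra` restriction — and it also silently drops `$sql_extra2` and `$pager_sql`, which is presumably intended for a single thread but deserves a one-line comment, e.g. `// single thread: no date range or paging`. Rather than patching two identical queries, resolve the mid once in a small helper that both branches call, so the next permission fix cannot miss a path. The `else` that follows and channel_content() continue outside the hunk.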
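Review bot: `notice( t('Item not found.') . EOL)` is gated only on `$mid && (! count($items))`, and this code runs after both the polling (`$update`) and the load branches, so every AJAX refresh of a thread whose items are filtered out queues another notice; gate it on the initial load, `if ($load && $mid && (! count($items)))`. The comment above it lists three causes — other channel, insufficient permission, nonexistent — and keeping one wording for all three is the right call, since distinct messages would tell a visitor whether an unreadable `mid` exists. The surrounding `if($r)`/`else` structure starts before the hunk.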
From 79102218324e794bb7096e682d61841b570fc411 Mon Sep 17 00:00:00 2001 From: friendica Date: Wed, 8 Jan 2014 15:20:12 -0800 Subject: preparatory work for supporting a "list view" mode for conversations. This would be useful for forum-like channels and/or block-oriented themes. --- mod/channel.php | 1 + 1 file changed, 1 insertion(+) (limited to 'mod/channel.php') diff --git a/mod/channel.php b/mod/channel.php index 149936dd7..838107b96 100644 --- a/mod/channel.php +++ b/mod/channel.php @@ -233,6 +233,7 @@ function channel_content(&$a, $update = 0, $load = false) { '$page' => (($a->pager['page'] != 1) ? $a->pager['page'] : 1), '$search' => '', '$order' => '', + '$list' => ((x($_REQUEST,'list')) ? intval($_REQUEST['list']) : 0), '$file' => '', '$cats' => (($category) ? $category : ''), '$mid' => '', -- cgit v1.2.3 From a517a27d53cc3eb29c004279c73de84f764574aa Mon Sep 17 00:00:00 2001 From: zottel Date: Thu, 9 Jan 2014 16:06:33 +0100 Subject: fix a bug that made it possible for everyone to access any message from other channels using channel//?mid=... --- mod/channel.php | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) (limited to 'mod/channel.php') diff --git a/mod/channel.php b/mod/channel.php index 205a89fa3..27f1cbdc6 100644 --- a/mod/channel.php +++ b/mod/channel.php @@ -138,6 +138,17 @@ function channel_content(&$a, $update = 0, $load = false) { $r = q("SELECT parent AS item_id from item where mid = '%s' limit 1", dbesc($mid) ); +logger("update "); + if ($r) { + // make sure we don't show other people's posts from our matrix + $parent = q("SELECT owner_xchan from item where id = %d", + dbesc($r[0]['item_id']) + ); +logger("update "); +logger($parent); + if ($parent['owner_xchan'] != $a->profile['channel_hash']) + $r = array(); + } } else { $r = q("SELECT distinct parent AS `item_id` from item left join abook on item.author_xchan = abook.abook_xchan 
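Review bot: `$parent['owner_xchan']` can never match: `q()` returns a result set indexed by row — the line just above reads `$r[0]['item_id']` for that reason — so `$parent['owner_xchan']` is undefined, the `!=` test is always true and `$r` is emptied even for the channel's own posts. Use `$parent[0]['owner_xchan']` after checking `$parent` is non-empty, and compare with `!==`. Also `id = %d` is bound through `dbesc()`; an integer placeholder should get `intval($r[0]['item_id'])`. I cannot see where `$a->profile['channel_hash']` is populated, so its availability on the polling path is something to confirm.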
@@ -177,6 +188,7 @@ function channel_content(&$a, $update = 0, $load = false) { $r = q("SELECT parent AS item_id from item where mid = '%s' limit 1", dbesc($mid) ); +logger("load "); } else { $r = q("SELECT distinct id AS item_id FROM item left join abook on item.author_xchan = abook.abook_xchan @@ -197,6 +209,20 @@ function channel_content(&$a, $update = 0, $load = false) { } } + if ($mid && $r) { + // make sure we don't show other people's posts from our matrix + // as $a->profile['channel_hash'] isn't set when a JS query comes in + // we have to do that with a join + $ismine = q("SELECT * from item + join channel on item.owner_xchan = channel.channel_hash + where item.id = %d and channel.channel_id = %d", + dbesc($r[0]['item_id']), + intval($a->profile['profile_uid']) + ); + if (!$ismine) + $r = array(); + } + if($r) { $parents_str = ids_to_querystr($r,'item_id'); -- cgit v1.2.3 From ab81458768f5989779e2ae1e74bfc5ba2d0bac0c Mon Sep 17 00:00:00 2001 From: zottel Date: Thu, 9 Jan 2014 16:18:17 +0100 Subject: took out some left-overs from the debugging phase --- mod/channel.php | 12 ------------ 1 file changed, 12 deletions(-) (limited to 'mod/channel.php') diff --git a/mod/channel.php b/mod/channel.php index 27f1cbdc6..458783b18 100644 --- a/mod/channel.php +++ b/mod/channel.php @@ -138,17 +138,6 @@ function channel_content(&$a, $update = 0, $load = false) { $r = q("SELECT parent AS item_id from item where mid = '%s' limit 1", dbesc($mid) ); -logger("update "); - if ($r) { - // make sure we don't show other people's posts from our matrix - $parent = q("SELECT owner_xchan from item where id = %d", - dbesc($r[0]['item_id']) - ); -logger("update "); -logger($parent); - if ($parent['owner_xchan'] != $a->profile['channel_hash']) - $r = array(); - } } else { $r = q("SELECT distinct parent AS `item_id` from item left join abook on item.author_xchan = abook.abook_xchan 
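Review bot: `dbesc($r[0]['item_id'])` is bound to the integer placeholder `item.id = %d`; use `intval($r[0]['item_id'])` so an unexpected non-numeric value becomes 0 instead of being string-substituted into a numeric comparison. `SELECT * from item join channel ...` pulls the full item and channel rows (the channel row presumably includes key material) only to test existence — `SELECT item.id ... limit 1` is enough. Note the check establishes only that the parent belongs to this channel; it does not apply `$sql_extra`, so read access to a private thread still depends on the query that consumes `$parents_str`, which is outside the hunk.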
@@ -188,7 +177,6 @@ logger($parent); $r = q("SELECT parent AS item_id from item where mid = '%s' limit 1", dbesc($mid) ); -logger("load "); } else { $r = q("SELECT distinct id AS item_id FROM item left join abook on item.author_xchan = abook.abook_xchan -- cgit v1.2.3 From 5ee5bda998b47e82586c47de1d325508b57cefe5 Mon Sep 17 00:00:00 2001 From: zottel Date: Thu, 9 Jan 2014 17:06:28 +0100 Subject: fix notices --- mod/channel.php | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) (limited to 'mod/channel.php') diff --git a/mod/channel.php b/mod/channel.php index 458783b18..8e44a329b 100644 --- a/mod/channel.php +++ b/mod/channel.php @@ -177,6 +177,10 @@ function channel_content(&$a, $update = 0, $load = false) { $r = q("SELECT parent AS item_id from item where mid = '%s' limit 1", dbesc($mid) ); + if (! $r) { + notice( t('Item not found.') . EOL); + } + } else { $r = q("SELECT distinct id AS item_id FROM item left join abook on item.author_xchan = abook.abook_xchan @@ -207,8 +211,11 @@ function channel_content(&$a, $update = 0, $load = false) { dbesc($r[0]['item_id']), intval($a->profile['profile_uid']) ); - if (!$ismine) + if (!$ismine) { + if ($load) + notice( t('Permission denied.') . EOL); $r = array(); + } } if($r) { @@ -228,12 +235,10 @@ function channel_content(&$a, $update = 0, $load = false) { $items = fetch_post_tags($items, true); $items = conv_sort($items,'created'); - if ($mid && (! count($items))) { - // This will happen if channel is called with a mid from another - // channel, if we don't have sufficient permissions to view the - // item, or if it doesn't exist. - // Do we need separate error messages for that? - notice( t('Item not found.') . EOL); + if ($load && $mid && (! count($items))) { + // This will happen if we don't have sufficient permissions + // to view the parent item (or the item itself if it is toplevel) + notice( t('Permission denied.') . EOL); } } else { -- cgit v1.2.3 
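Review bot: The load path now answers `Item not found.` when the `mid` lookup returns nothing and `Permission denied.` when it resolves but fails the `$ismine` check, which lets any visitor probe whether an arbitrary `mid` exists on this hub even though they cannot read it. Use one wording for both outcomes, e.g. change the first branch to `notice( t('Permission denied.') . EOL);`, and make the `if ($load)` guard consistent across the three notice sites so the polling path never emits them. All three sit inside channel_content(), which continues past the hunk.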
From db8ebc9f375478bddc0f48d972e3acfbde80685a Mon Sep 17 00:00:00 2001 From: friendica Date: Thu, 9 Jan 2014 15:45:17 -0800 Subject: some minor cleanup on plinks for some very subtle permissions issues --- mod/channel.php | 24 ++++-------------------- 1 file changed, 4 insertions(+), 20 deletions(-) (limited to 'mod/channel.php') diff --git a/mod/channel.php b/mod/channel.php index 8e44a329b..20f6fec18 100644 --- a/mod/channel.php +++ b/mod/channel.php @@ -104,7 +104,7 @@ function channel_content(&$a, $update = 0, $load = false) { ); - if($perms['post_wall'] && (!$mid)) { + if($perms['post_wall']) { $x = array( 'is_owner' => $is_owner, @@ -135,8 +135,9 @@ function channel_content(&$a, $update = 0, $load = false) { if(($update) && (! $load)) { if ($mid) { - $r = q("SELECT parent AS item_id from item where mid = '%s' limit 1", - dbesc($mid) + $r = q("SELECT parent AS item_id from item where mid = '%s' and uid = %d $sql_extra limit 1", + dbesc($mid), + intval($a->profile['profile_uid']) ); } else { $r = q("SELECT distinct parent AS `item_id` from item @@ -201,23 +202,6 @@ function channel_content(&$a, $update = 0, $load = false) { } } - if ($mid && $r) { - // make sure we don't show other people's posts from our matrix - // as $a->profile['channel_hash'] isn't set when a JS query comes in - // we have to do that with a join - $ismine = q("SELECT * from item - join channel on item.owner_xchan = channel.channel_hash - where item.id = %d and channel.channel_id = %d", - dbesc($r[0]['item_id']), - intval($a->profile['profile_uid']) - ); - if (!$ismine) { - if ($load) - notice( t('Permission denied.') . EOL); - $r = array(); - } - } - if($r) { $parents_str = ids_to_querystr($r,'item_id'); -- cgit v1.2.3 From 0fef87cb43376289c39ddb0e30ee7a35fa97086d Mon Sep 17 00:00:00 2001 
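Review bot: Removing the `$ismine` block takes away the only ownership check that covered the initial-load path, while the `and uid = %d $sql_extra` scoping is added only to the polling query at line 135; the load-path lookup around line 180 (outside this hunk) is still `where mid = '%s' limit 1`, so after this commit a `mid` from another channel is again accepted on a plain page load. Apply the same `and uid = %d $sql_extra` with `intval($a->profile['profile_uid'])` to that query in the same change, or keep `$ismine` until both queries are scoped. Re-enabling the editor with `if($perms['post_wall'])` regardless of `$mid` looks intentional. channel_content() continues past the hunk.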
From: friendica Date: Fri, 10 Jan 2014 00:58:53 -0800 Subject: security fix for channel?mid= per zottel --- mod/channel.php | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'mod/channel.php') diff --git a/mod/channel.php b/mod/channel.php index 20f6fec18..dac4ba2bf 100644 --- a/mod/channel.php +++ b/mod/channel.php @@ -135,9 +135,11 @@ function channel_content(&$a, $update = 0, $load = false) { if(($update) && (! $load)) { if ($mid) { - $r = q("SELECT parent AS item_id from item where mid = '%s' and uid = %d $sql_extra limit 1", + $r = q("SELECT parent AS item_id from item where mid = '%s' and uid = %d AND item_restrict = 0 + AND (item_flags & %d) $sql_extra limit 1", dbesc($mid), - intval($a->profile['profile_uid']) + intval($a->profile['profile_uid']), + intval(ITEM_WALL) ); } else { $r = q("SELECT distinct parent AS `item_id` from item -- cgit v1.2.3 From ea511c67c7b4d67cb98a92d6e86c634e6b37dc64 Mon Sep 17 00:00:00 2001 From: zottel Date: Fri, 10 Jan 2014 13:38:38 +0100 Subject: add security fix to load case, too --- mod/channel.php | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'mod/channel.php') diff --git a/mod/channel.php b/mod/channel.php index dac4ba2bf..a936650f3 100644 --- a/mod/channel.php +++ b/mod/channel.php @@ -141,6 +141,9 @@ function channel_content(&$a, $update = 0, $load = false) { intval($a->profile['profile_uid']), intval(ITEM_WALL) ); + if (! $r) { + notice( t('Permission denied.') . EOL); + } } else { $r = q("SELECT distinct parent AS `item_id` from item left join abook on item.author_xchan = abook.abook_xchan 
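Review bot: The `item_restrict = 0 AND (item_flags & ITEM_WALL) $sql_extra` filter is evaluated on the row whose `mid` matched, which may be a comment, while what is returned is its `parent`; the parent itself is not re-checked here. If the thread query that consumes `$parents_str` (outside the hunk) re-applies `$sql_extra` to every item it fetches, that is sufficient; if it only filters on parent id, add the same conditions on the parent row, e.g. by joining `item` to itself on `parent`. Worth recording either way with a one-line comment: `// the thread query below re-applies $sql_extra to the parent and its children`.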
@@ -177,11 +180,14 @@ function channel_content(&$a, $update = 0, $load = false) { if($load || ($_COOKIE['jsAvailable'] != 1)) { if ($mid) { - $r = q("SELECT parent AS item_id from item where mid = '%s' limit 1", - dbesc($mid) + $r = q("SELECT parent AS item_id from item where mid = '%s' and uid = %d AND item_restrict = 0 + AND (item_flags & %d) $sql_extra limit 1", + dbesc($mid), + intval($a->profile['profile_uid']), + intval(ITEM_WALL) ); if (! $r) { - notice( t('Item not found.') . EOL); + notice( t('Permission denied.') . EOL); } } else { -- cgit v1.2.3 From 1c315caa28eb991469e122fb7f8650f411152b13 Mon Sep 17 00:00:00 2001 From: zottel Date: Fri, 10 Jan 2014 13:41:25 +0100 Subject: and don't send duplicate notices --- mod/channel.php | 3 --- 1 file changed, 3 deletions(-) (limited to 'mod/channel.php') diff --git a/mod/channel.php b/mod/channel.php index a936650f3..6e82eb1e7 100644 --- a/mod/channel.php +++ b/mod/channel.php @@ -141,9 +141,6 @@ function channel_content(&$a, $update = 0, $load = false) { intval($a->profile['profile_uid']), intval(ITEM_WALL) ); - if (! $r) { - notice( t('Permission denied.') . EOL); - } } else { $r = q("SELECT distinct parent AS `item_id` from item left join abook on item.author_xchan = abook.abook_xchan -- cgit v1.2.3 From ea606869a6ece5d13a3d4fd60d1bb6d6e30de439 Mon Sep 17 00:00:00 2001 From: friendica Date: Mon, 20 Jan 2014 17:45:02 -0800 Subject: when loading a single thread on the channel page, tell JS that there isn't any more content to load. --- mod/channel.php | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'mod/channel.php') diff --git a/mod/channel.php b/mod/channel.php index 6e82eb1e7..34a1e2dda 100644 --- a/mod/channel.php +++ b/mod/channel.php 
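Review bot: The scoped lookup added here is now byte-for-byte the same query as the polling branch at line 137, and this file's history shows the two copies drifting apart more than once; pull it into one helper so the next permission fix cannot miss a path. The helper below keeps the existing placeholders and `dbesc()`/`intval()` binding, and both call sites become `$r = channel_mid_parent($mid, $a->profile['profile_uid'], $sql_extra);`. `$_COOKIE['jsAvailable'] != 1` on the branch condition is pre-existing context, but it compares loosely against a client-controlled cookie. channel_content() continues past the hunk.
```php
// Resolve $mid to the id of its thread parent, restricted to the channel
// being viewed and to whatever $sql_extra permits; returns the q() result
// set (empty on a miss or a permission failure).
function channel_mid_parent($mid, $uid, $sql_extra) {
	return q("SELECT parent AS item_id from item where mid = '%s' and uid = %d AND item_restrict = 0
		AND (item_flags & %d) $sql_extra limit 1",
		dbesc($mid),
		intval($uid),
		intval(ITEM_WALL)
	);
}
// … unchanged: both if ($mid) branches call channel_mid_parent() …
```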
@@ -136,10 +136,11 @@ function channel_content(&$a, $update = 0, $load = false) { if(($update) && (! $load)) { if ($mid) { $r = q("SELECT parent AS item_id from item where mid = '%s' and uid = %d AND item_restrict = 0 - AND (item_flags & %d) $sql_extra limit 1", + AND (item_flags & %d) AND (item_flags & %d) $sql_extra limit 1", dbesc($mid), intval($a->profile['profile_uid']), - intval(ITEM_WALL) + intval(ITEM_WALL), + intval(ITEM_UNSEEN) ); } else { $r = q("SELECT distinct parent AS `item_id` from item @@ -295,5 +296,8 @@ function channel_content(&$a, $update = 0, $load = false) { if((! $update) || ($_COOKIE['jsAvailable'] != 1)) $o .= alt_pager($a,count($items)); + if($mid) + $o .= '
'; + return $o; } -- cgit v1.2.3 From 3b375a3d3f6d0d7fef885edcc75097564a1f7987 Mon Sep 17 00:00:00 2001 From: friendica Date: Tue, 21 Jan 2014 23:09:33 -0800 Subject: fix location of string file in Translations.md, fix some permissions and owner vagueness (potential bugs) in profile_tabs() --- mod/channel.php | 1 + 1 file changed, 1 insertion(+) (limited to 'mod/channel.php') diff --git a/mod/channel.php b/mod/channel.php index 34a1e2dda..7e2b6d7c5 100644 --- a/mod/channel.php +++ b/mod/channel.php @@ -28,6 +28,7 @@ function channel_init(&$a) { $profile = 0; $channel = $a->get_channel(); +logger('channel: ' . $channel['channel_name']); if((local_user()) && (argc() > 2) && (argv(2) === 'view')) { $which = $channel['channel_address']; -- cgit v1.2.3 From 3f49114a05f51b4d7ad11898e75fe512c9a9e774 Mon Sep 17 00:00:00 2001 From: friendica Date: Tue, 21 Jan 2014 23:12:03 -0800 Subject: remove debugging --- mod/channel.php | 1 - 1 file changed, 1 deletion(-) (limited to 'mod/channel.php') diff --git a/mod/channel.php b/mod/channel.php index 7e2b6d7c5..34a1e2dda 100644 --- a/mod/channel.php +++ b/mod/channel.php @@ -28,7 +28,6 @@ function channel_init(&$a) { $profile = 0; $channel = $a->get_channel(); -logger('channel: ' . $channel['channel_name']); if((local_user()) && (argc() > 2) && (argv(2) === 'view')) { $which = $channel['channel_address']; -- cgit v1.2.3
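Review bot: Adding `(item_flags & ITEM_UNSEEN)` to the polling lookup tests the unseen flag on the one row whose `mid` matches rather than on the thread, so once that item has been marked seen the poll returns no parent and, presumably, new replies in the thread are no longer delivered — the non-`mid` branch avoids this by selecting `distinct parent` over all unseen items. If live updates of the displayed thread are intended, select unseen rows whose `parent` equals the resolved parent instead of re-testing the `mid` row; how `$r` is consumed on the polling path is outside the hunk, so confirm against that. The literal appended to `$o` under `if($mid)` has been stripped from this rendering, so I cannot check that it is static markup.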